Fix input buffer overflow in wxZip code

Don't crash when reading malformed ZIP files with incorrect field lengths for the extra fields. Closes #17947.
2017-09-13 14:46:11 +02:00 · 2017-09-13 14:46:11 +02:00 · e48676cf4a
commit e48676cf4a
parent d25d2400fc
1 changed files with 10 additions and 1 deletions
--- a/src/common/zipstrm.cpp
+++ b/src/common/zipstrm.cpp
@ -1033,7 +1033,8 @@ bool wxZipEntry::LoadExtraInfo(const char* extraData, wxUint16 extraLen, bool lo
    // seeking for the field with Header ID = 1.
    // (There is not stated in the documentation
    // that it should be the first one in the collection.)
-    while ( extraLen >= 4 )
+    const char* const extraDataEnd = extraData + extraLen;
+    while ( extraData + 4 <= extraDataEnd )
    {
        // Parse extra header
        wxZipHeader hds(extraData, 4);
@ -1041,6 +1042,14 @@ bool wxZipEntry::LoadExtraInfo(const char* extraData, wxUint16 extraLen, bool lo
        wxUint16 fieldLen = hds.Read16();
        if ( fieldID == 1 )
        {
+            // Check that we don't overflow the input buffer.
+            if ( extraData + 4 + fieldLen > extraDataEnd )
+            {
+                wxLogWarning(_("Ignoring malformed extra data record, "
+                               "ZIP file may be corrupted"));
+                return false;
+            }
+
            // Data block for extra field with Header ID = 1 (ZIP64)
            // can have length up to 28 bytes.
            wxZipHeader ds(extraData+4, wxMin(fieldLen, 28));